How to clear arp cache on schedule



  • Hi all,
    I couldn't find an answer in the forum so I'm posting here…sorry if it's already been asked and answered.

    Ok, I need to set up our pfsense box to clear its arp cache on a weekly schedule, but I'm not sure how to set it up. Any help would be appreciated.

    Thanks!


  • Rebel Alliance Global Moderator

    you do understand that pfsense cache length is only 1200 seconds

    sysctl -a | grep net.link.ether.inet.max_age
    net.link.ether.inet.max_age: 1200

    What would clearing that every week accomplish?



  • Thanks for the quick reply johnpoz…

    I've been losing internet connectivity more and more often over the past 3 months, and according to my ISP there are no problems with their cable modem. This is a new pfsense box with the exact same settings as the pfsense box it replaced (the original pfsense box ran problem-free for a couple of years). The fix so far has been to clear the arp cache in the cable modem or reboot it altogether. When that doesn't restore internet connectivity I have to clear the arp cache in my pfsense box. Since I can't control clearing the arp cache in the cable modem from the outside, my ISP has recommended that I set up a scheduled arp cache clear command to run on schedule; I figured a week should do the trick. I'm open to suggestion based on best practices...thx!


  • Rebel Alliance Global Moderator

    Entries in your arp cache should only be there for max 1200 seconds (20 minutes) if your not talking to whatever it is was you were talking too when entry was created.

    I would suggest next time you have a problem, look in you cache to what could be the problem.  If your saying clearing it fixes the problem - then your caching a bad mac for your gateway maybe?  But clearly the arp table on a schedule would not fix that issue….



  • You have a good point…I'll review the logs the next time the problem occurs...thanks!



  • On cable, that kind of sounds like someone might be ARP poisoning the subnet. Could just be a problem on the ISP's network. ARP cache is very short lived, in the worst case scenario with defaults it'd take 20 minutes to switch over, if your ISP changed their router's hardware address at the exact time your machine did an ARP query.

    Next time it happens, check what's in the ARP cache, then clear it, and compare afterwards. Can post back the ARP table both before and after if you're not sure what it's showing/telling.



  • thanks cmb!



  • Well, we lost internet access just after noon today, and according to our ISP they couldn't find anything wrong. I checked the logs and found the following entry just before we lost our connection:  apinger: ALARM: WANGW(xxx.xxx.xxx.xxx) *** down ***
    I found some references to the Gateway Monitoring feature in PFsense and how ISPs are known to ignore the requests at the gateway, resulting in the PFsense box "timing out" after not seeing any responses, and shutting down the WAN port.
    I checked the Disable Gateway Monitoring box to keep the PFsense box from timing out…now it's time to wait and see if the problem comes back or goes away once and for all.  Thanks everyone for your help...this is a great product and an awesome community!



  • The gateway going down is a symptom, not a cause, of the problem.


  • Rebel Alliance Global Moderator

    And when this went down did you look at your arp cache?  What did you have for your isp gateway??  Did you flush your cache, what did you have then.

    Pretty sure this was clearly stated to look in the arp cache, since you say flushing it fixes your issue.  But now when it goes down you don't even look there??



  • CMB…agreed

    JOHNPOZ...I just realized that my last post was incomplete...yes, I looked at the arp cache and yes it was showing the ISP gateway. Flushing the arp cache didn't do anything so I had to reboot the pfsense box to get back online. Remember, this happened in the middle of the day, with several critical services depending on our internet connection, so I didn't have the luxury of time on my side. So far so good with our internet connectivity...keeping my fingers crossed that disabling the gateway monitoring feature works, at least for now.



  • I have seen this problem before.
    1. check the cables first.
    2. Next is your box is connected directly to the cable modem and not into a switch then the cable modem.  If it is connected to a switch connect it directly and see if it happens cheap switches will do this and higher end switches will do this also if they are not set up correctly.  
    3. what cable modem and service are you using? If it is comcast go into the modem and disable smart packet inspection or call them and have them do it as this will cause the problem you are seeing as well.
    4. are you using running snort on the box if so make sure it is not blocking you wan connection.



  • Thanks for the additional info mschiek01.
    Cables are good.
    Pfsense box is connected directly to cable modem.
    Using Cox cable service and I already spoke with them about using spi or anything else that might hinder traffic…nothing is set up in the cable modem at this time.
    Not running snort on the pfsense box.

    By the way, so far so good...no hiccups since I disabled gateway monitoring...fingers crossed!



  • Try to setting up a  "Cron Job" (the easy way is to just choose option 8 shell and type "arp -d -a"
    Thats it..


  • Rebel Alliance Global Moderator

    Wiz – nice to have you on the forums, but you might want to actually read a thread before you post ;)